Cyber Incident Victim: CAFPI

Date:

Apr 2023

Location:

France

Summary

CAFPI was a victim of a cyberattack where threat actors gained access to its systems for several hours. The intrusion compromised sensitive client data, including identity documents, contact details, and financial information submitted for loan applications. A significant volume of stolen documents was subsequently leaked online. The company promptly contained the breach, notified authorities, and initiated an investigation, though the full scope of the data exfiltration was not immediately known.

CIA Posture: available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

On or around April 30, 2023, CAFPI, a French brokerage firm specializing in credit and loan services, detected a cyberattack on a portion of its computer network. The company stated that, in a context of heightened cyber threats and despite what it described as a high level of system security, its internal IT service mobilized immediately on identifying the intrusion. CAFPI promptly engaged external cybersecurity experts to help limit the impact of the attack and to take all necessary measures. According to the company, this immediate mobilization allowed the intrusion to be detected and contained quickly, and it was able to continue normal business operations as a result.

The investigation into the incident determined that certain client data had been compromised, and some of it was subsequently published online. The compromised information consisted of personal data that clients had transmitted to CAFPI during their exchanges with the firm: identity documents and contact details such as full names and email addresses. Information submitted as part of financing or loan applications was also stolen. CAFPI did not detail the exact scope of this category, but it was suggested that it could include highly sensitive documents such as pay slips and bank statements, which are typically required for such applications.

The cybercriminal group VICE Society was identified as being responsible for the attack. The attackers successfully breached CAFPI's systems and maintained access for a period of several hours before the intrusion was contained. The specialized website Zataz reported identifying a significant volume of stolen data that had been made public online. Their findings indicated that tens of thousands of documents were exposed. Beyond client data, this published information also included internal company documents. These pertained to credit agreements, loan applications, notary notices, and information related to CAFPI's general management, works council, and human resources departments.

The primary impact of this data breach was the potential for large-scale identity theft and fraud. The nature of the stolen data, particularly identity documents and financial information, makes it highly valuable to criminals seeking to commit banking fraud, apply for credit under false identities, or run targeted phishing campaigns that reuse genuine loan details to appear credible. CAFPI explicitly warned its clients to be extremely vigilant regarding unsolicited communications, including emails, postal mail, phone calls, and text messages. The company provided specific guidance to help clients identify phishing attempts, noting that legitimate CAFPI email addresses always contain the domain ‘cafpi.fr’ and advising recipients to scrutinize any communication requesting personal or banking information. Such a rule is only a first filter: the sender address displayed in a mail client can be spoofed, and an address that merely contains the string ‘cafpi.fr’ (for example in the display name, in the part before the @, or in a longer lookalike domain) is not evidence that the message came from CAFPI. Any request for personal or banking data should be verified through a channel the client already uses, such as the phone number or adviser contact on an existing loan file.
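The difference between the loose "contains ‘cafpi.fr’" reading of that guidance and a proper check of the sender's domain is easy to show. The following is an added example written for this page, not CAFPI's own guidance or tooling: it parses a From: header value with the standard library, extracts the domain of the actual address (not the display name), and accepts it only if it is cafpi.fr or a subdomain of it. The sample header values are constructed for illustration; none is a real message, and the attacker domains are placeholders.

```python
from email.utils import parseaddr

LEGIT_DOMAIN = "cafpi.fr"


def sender_domain(header_value: str) -> str:
    """Return the lowercase domain of the address in a From: header value.

    parseaddr separates the display name from the addr-spec, so a header
    such as '"contact@cafpi.fr" <x@attacker.example>' yields
    'attacker.example', not the domain that appears in the display name.
    Returns "" when no addr-spec with an @ is present.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def naive_contains_check(header_value: str) -> bool:
    """The weak reading of the advice: accept if the text contains 'cafpi.fr'."""
    return LEGIT_DOMAIN in header_value.lower()


def strict_domain_check(header_value: str) -> bool:
    """Accept only if the addr-spec domain is cafpi.fr or a subdomain of it."""
    domain = sender_domain(header_value)
    return domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)


# Constructed sample From: header values (hypothetical, not taken from real mail).
# attacker.example is a placeholder domain.
SAMPLES = {
    "legit": "CAFPI <service@cafpi.fr>",
    "subdomain": "noreply@mail.cafpi.fr",
    "lookalike_suffix": "support@cafpi.fr.attacker.example",
    "display_name_spoof": '"contact@cafpi.fr" <x@attacker.example>',
    "local_part_spoof": "cafpi.fr@attacker.example",
    "dash_suffix": "info@cafpi.fr-secure.example",
}


def classify(samples=SAMPLES):
    """Map each sample name to (naive_result, strict_result)."""
    return {
        name: (naive_contains_check(value), strict_domain_check(value))
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, (naive, strict) in classify().items():
        print(f"{name:20s} naive={naive!s:5s} strict={strict}")
```

Only the first two samples pass the strict check; the other four all contain the string ‘cafpi.fr’ and would pass the naive reading. Even the strict check only validates what the header claims: without SPF, DKIM and DMARC enforcement on the receiving side, the From: domain itself can be forged, which is why the check belongs in mail filtering alongside authentication results rather than in the hands of the recipient alone.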

In response to the incident, CAFPI undertook a series of technical, legal, and communication actions. A crisis cell was immediately established to oversee the technical and legal response. On the technical side, the company said it implemented organizational and technical measures to reinforce the security of client data. The compromised systems were isolated, restored, and returned to normal operation once the attack had been contained. CAFPI also initiated continuous monitoring of its networks and of the web for further publication of the stolen data.

Legally, CAFPI complied with its obligations under the General Data Protection Regulation (GDPR) by notifying the French data protection authority, the CNIL, of the personal data breach within the mandated 72-hour timeframe. The company also filed a criminal complaint with the relevant judicial authorities, specifically the Procureur de la République, to enable a formal investigation into the attack. CAFPI stated it was relying on the police forces engaged through this complaint to fully investigate the incident.

To manage customer relations and provide support, CAFPI established four dedicated call centers to assist affected clients. It also published a detailed FAQ on its website to answer common questions and provided a dedicated email address, [email protected], for inquiries. On May 23, 2023, CAFPI began sending alert emails to its client base to inform them of the breach and the potential compromise of their data. However, the company clarified that its internal investigation and external expert analysis were still ongoing. Consequently, CAFPI acknowledged it did not yet possess the precise details regarding the exact extent and volume of data stolen for each individual client. The company committed to providing more specific details to each client about their personal data loss as soon as that information became available through the continuing investigation.

A point of contention raised in external reporting concerned the protection of the data itself. The website Zataz reported that the stolen data appeared to have been stored without encryption, arguing that encryption would have prevented its acquisition and subsequent dissemination. Strictly speaking, encryption at rest does not stop an attacker who has already gained access to the application or its file shares from copying the data; it limits the damage only if the keys remain out of the attacker's reach, in which case the leaked files would have been unreadable. When questioned on this specific technical point, CAFPI declined to provide details, citing confidentiality and a desire to avoid giving the same attackers information that could facilitate further attacks. The aftermath of the incident focused on the significant risk to clients and on the company's efforts to provide guidance and support while the forensic analysis was completed.

Sources: 2 sources, available to members.